Apache Commons FileUpload 1.4 RELEASE NOTES The Apache Commons FileUpload team is pleased to announce the release of Apache Commons FileUpload 1.4. The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications. Version 1.3 onwards requires Java 6 or later. The 1.4 release removes serialization from DiskFileItem for security reasons, which could be a breaking change depending upon one's mechanism of consumption of commons-fileupload. Changes in version 1.4 include: New features: o Site: added security report Fixed Bugs: o FILEUPLOAD-252: DiskFileItem#write() could lose original IO exception o FILEUPLOAD-258: DiskFileItem#getStoreLocation() wrongly returned a File object for items stored in memory o FILEUPLOAD-242: FileUploadBase - should not silently catch and ignore all Throwables o FILEUPLOAD-257: Fix Javadoc 1.8.0 errors o FILEUPLOAD-234: Fix section "Resource cleanup" of the user guide o FILEUPLOAD-237: Fix streaming example: use FileItem.getInputStream() instead of openStream() o FILEUPLOAD-248: DiskFileItem might suppress critical IOExceptions on rename - use FileUtil.move instead o FILEUPLOAD-251: DiskFileItem#getTempFile() is broken o FILEUPLOAD-250: FileUploadBase - potential resource leak - InputStream not closed on exception o FILEUPLOAD-244: DiskFileItem.readObject fails to close FileInputStream o FILEUPLOAD-245: DiskFileItem.get() may not fully read the data Changes: o FILEUPLOAD-292: Don't create un-needed resources in FileUploadBase.java o FILEUPLOAD-282: Upversion complier.source, compiler.target to 1.6 o FILEUPLOAD-246: FileUpload should use IOUtils.closeQuietly where relevant o FILEUPLOAD-243: Make some MultipartStream private fields final Thanks to Ville Skyttä. For complete information on Apache Commons FileUpload, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Apache Commons FileUpload website: http://commons.apache.org/proper/commons-fileupload/ ------------------------------------------------------------------------------ Apache Commons FileUpload 1.3.3 RELEASE NOTES The Apache Commons FileUpload team is pleased to announce the release of Apache Commons FileUpload 1.3.3. The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications. Version 1.3 onwards requires Java 5 or later. No client code changes are required to migrate from version 1.3.0, 1.3.1, or 1.3.2, to 1.3.3 Changes in version 1.3.3 include: o FILEUPLOAD-279: DiskFileItem can no longer be deserialized, unless a particular system property is set. For complete information on Apache Commons FileUpload, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Apache Commons FileUpload website: http://commons.apache.org/proper/commons-fileupload/ ------------------------------------------------------------------------------ No client code changes are required to migrate from version 1.3.1 to 1.3.2. Changes in version 1.3.2 include: o FILEUPLOAD-272: Performance Improvement in MultipartStream. Prevents a DoS (CVE-2016-3092) For complete information on Apache Commons FileUpload, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Apache Commons FileUpload website: http://commons.apache.org/proper/commons-fileupload/ ------------------------------------------------------------------------------ Apache Commons FileUpload 1.3.1 RELEASE NOTES The Apache Commons FileUpload team is pleased to announce the release of Apache Commons FileUpload 1.3.1. The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications. Version 1.3 onwards requires Java 5 or later. No client code changes are required to migrate from version 1.3.0 to 1.3.1. This is a security and maintenance release that includes an important security fix as well as a small number of bugfixes. Changes in version 1.3.1 include: Fixed Bugs: o SECURITY - CVE-2014-0050. Specially crafted input can trigger a DoS if the buffer used by the MultipartStream is not big enough. When constructing MultipartStream enforce the requirements for buffer size by throwing an IllegalArgumentException if the requested buffer size is too small. This prevents the DoS. o When deserializing DiskFileItems ensure that the repository location, if any, is a valid one. Thanks to Arun Babu Neelicattu. o Correct example in usage documentation so it compiles. For complete information on Apache Commons FileUpload, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Apache Commons FileUpload website: http://commons.apache.org/proper/commons-fileupload/